AWS Secrets Manager User Guide

Copyright Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is Secrets Manager?
  Basic scenario
  Features
    Programmatically retrieve encrypted secret values at runtime
    Store different types of secrets
    Encrypt your secret data
    Automatically rotate your secrets
    Control access to secrets
    Compliance with standards
  Pricing
  Support and feedback
Access Secrets Manager
  Secrets Manager console
  Command line tools
  AWS SDKs
  HTTPS Query API
Get started
  Secrets Manager concepts
    Secret
    Rotation
    Version
  Tutorials
    Tutorial: Create and retrieve a secret
      Permissions
      Step 1: Create a secret
      Step 2: Retrieve a secret
      Step 3: Clean up resources
      Related resources
    Tutorial: Single user rotation
      Permissions
      Prerequisites
      Step 1: Connect with original password
      Step 2: Create a Secrets Manager endpoint
      Step 3: Rotate the secret
      Step 4: Test the rotated password
      Step 5: Clean up resources
      Next steps
    Tutorial: Alternating users rotation
      Permissions
      Prerequisites
      Step 1: Create an Amazon RDS database user
      Step 2: Create a secret for the user credentials
      Step 3: Test the rotated secret
      Step 4: Clean up resources
      Next steps
Authentication and access control
  Secrets Manager administrator permissions
  Permissions to access secrets
  Permissions for Lambda rotation functions
  Permissions for encryption keys
  Attach a permissions policy to an identity
  Attach a permissions policy to a secret
    AWS CLI
    AWS SDK
  AWS managed policy
  Determine who has permissions to your secrets
  Cross-account access
  Permissions policy examples
    Example: Permission to retrieve secret values
    Example: Wildcards
    Example: Permission to create secrets
    Example: Permissions and VPCs
    Example: Control access to secrets using tags
    Example: Limit access to identities with tags that match secrets' tags
    Example: Service principal
  Permissions reference
    Secrets Manager actions
    Secrets Manager resources
    Condition keys
      BlockPublicPolicy condition
      IP address conditions
      VPC endpoint conditions
Create and manage secrets
  Create a database secret
    AWS CLI
    AWS SDK
    JSON structure of a database secret
  Create a secret
    AWS CLI
    AWS SDK
  Modify a secret
    AWS CLI
    AWS SDK
  Find secrets
    AWS CLI
    AWS SDK
  Delete a secret
    AWS CLI
    AWS SDK
  Restore a secret
    AWS CLI
    AWS SDK
  Replicate a secret to other Regions
    AWS CLI
    AWS SDK
  Promote a replica secret to a standalone secret
    AWS CLI
    AWS SDK
  Tag secrets
    AWS CLI
    AWS SDK
  AWS CloudFormation
    Create a simple secret
    Create a secret with Amazon RDS credentials
    Create a secret with Amazon RDS credentials with automatic rotation
    Create a secret with Amazon Redshift credentials with automatic rotation
    Create a secret with Amazon DocumentDB credentials with automatic rotation
Retrieve secrets in code
  Connect to a SQL database
  Java applications
    SecretCache
    SecretCacheConfiguration
    SecretCacheHook
  Python applications
    SecretCache
    SecretCacheConfig
    SecretCacheHook
    @InjectSecretString
    @InjectKeywordedSecretString
  .NET applications
    SecretsManagerCache
    SecretCacheConfiguration
    ISecretCacheHook
  Go applications
    type Cache
    type CacheConfig
    type CacheHook
Retrieve secrets in AWS services
  AWS Batch
  AWS CloudFormation
    Example: Use a secret to set a database password
  Amazon ECS
  Amazon EKS
    Install the ASCP
    Step 1: Set up access control
    Step 2: Mount secrets in Amazon EKS
    SecretProviderClass
    Tutorial
  AWS IoT Greengrass
  Parameter Store
Rotate secrets
  Rotation strategies
    Single user
    Alternating users
  Amazon RDS, Amazon DocumentDB, or Amazon Redshift secret
    AWS CLI
    AWS SDK
  Other type of secret
    AWS SDK and AWS CLI
    AWS SDK
  Schedule expressions
    Rate expressions
    Cron expressions
  Rotate a secret immediately
    AWS SDK and AWS CLI
    AWS SDK
  How rotation works
  Network access for rotation
  Permissions for rotation
    Lambda function resource policy
    Lambda function execution role inline policy
  Customize a rotation function
  Rotation function templates
    Amazon RDS databases
    Amazon DocumentDB databases
    Amazon Redshift
    Other types of secrets
  Troubleshoot rotation
    I want to find the diagnostic logs for my Lambda rotation function
    I get "access denied" when trying to configure rotation for my secret
    My first rotation fails after I enable rotation
    Rotation fails because the secret value is not formatted as expected by the rotation function
    Secrets Manager says I successfully configured rotation, but the password isn't rotating
    Rotation fails with an "Internal failure" error message
    CloudTrail shows access-denied errors during rotation
    My database requires an SSL/TLS connection but the Lambda rotation function isn't using SSL/TLS
VPC endpoint
  Considerations for Secrets Manager VPC endpoints
  Creating an interface VPC endpoint for Secrets Manager
  Creating a VPC endpoint policy for Secrets Manager
Monitor secrets
  Logging with AWS CloudTrail
    AWS CLI or SDK
    Examples of Secrets Manager log entries
  Monitoring with CloudWatch
    Create alarms to monitor Secrets Manager requests
  Secrets Manager events
  Amazon CloudWatch Synthetics canaries
  Monitor secrets scheduled for deletion
Compliance validation
  Audit secrets for compliance by using AWS Config
  Aggregate secrets from your AWS accounts and AWS Regions
Services that use Secrets Manager secrets
  Alexa for Business
  AWS App2Container
  Amazon AppFlow
  AWS AppSync
  Amazon Athena
  AWS CodeBuild
  AWS Directory Service
  Amazon DocumentDB
  AWS Elemental Live
  AWS Elemental MediaConnect
  AWS Elemental MediaConvert
  AWS Elemental MediaPackage
  AWS Elemental MediaTailor
  Amazon EMR
  Amazon EventBridge
  Amazon FSx
  AWS Glue DataBrew
  AWS Glue Studio
  AWS IoT SiteWise
  Amazon Kendra
  AWS Launch Wizard
  Amazon Lookout for Metrics
  Amazon Managed Streaming for Apache Kafka
  Amazon Managed Workflows for Apache Airflow
  AWS OpsWorks for Chef Automate
  Amazon RDS
  Amazon Redshift
  Amazon SageMaker
  AWS Toolkit for JetBrains
  AWS Transfer Family
Security in Secrets Manager
  Best practices

the password. Secrets Manager allows you to store multiple sets of these credentials at the same time. Secrets Manager stores each set in a different version of the secret. During the secret rotation process, Secrets Manager tracks the older credentials, as well as the new credentia